MAC address spoofing

Media Access Control (MAC) randomization can be used for increased privacy by not disclosing your real MAC address to the network. This article gives several methods to spoof a MAC address.

There are two methods for spoofing a MAC address: installing and configuring either iproute2 or macchanger. Both of them are outlined below.

First, you can check your current MAC address with the command:

# ip link show interface

where interface is the name of your network interface.

The section that interests us at the moment is the one that has "link/ether" followed by a 6-byte number. It will probably look something like this:

link/ether 00:1d:98:5a:d1:3a

The first step to spoofing the MAC address is to bring the network interface down. It can be accomplished with the command:

# ip link set dev interface down

Next, we actually spoof our MAC. Any hexadecimal value will do, but some networks may be configured to refuse to assign IP addresses to a client whose MAC does not match up with any of known vendors. Therefore, unless you control the network(s) you are connecting to, use MAC prefix of any real vendor (basically, the first three bytes), and use random values for next three bytes. For more information please read Wikipedia:Organizationally unique identifier.

To change the MAC, we need to run the command:

# ip link set dev interface address XX:XX:XX:XX:XX:XX

Where any 6-byte value will suffice for XX:XX:XX:XX:XX:XX.

The final step is to bring the network interface back up. This can be accomplished by running the command:

# ip link set dev interface up

If you want to verify that your MAC has been spoofed, simply run ip link show interface again and check the value for 'link/ether'. If it worked, 'link/ether' should be whatever address you decided to change it to.

Another method uses macchanger (a.k.a., the GNU MAC Changer). It provides a variety of features such as changing the address to match a certain vendor or completely randomizing it.

Install the package macchanger.

The spoofing is done on per-interface basis, specify network interface name as interface in each of the following commands.

The MAC address can be spoofed with a fully random address:

# macchanger -r interface

To randomize only device-specific bytes of current MAC address (that is, so that if the MAC address was checked it would still register as being from the same vendor), you would run the command:

# macchanger -e interface

To change the MAC address to a specific value, you would run:

# macchanger --mac=XX:XX:XX:XX:XX:XX interface

Where XX:XX:XX:XX:XX:XX is the MAC you wish to change to.

Finally, to return the MAC address to its original, permanent hardware value:

# macchanger -p interface

udev allows you to perform MAC address spoofing by creating systemd.link(5) files or udev rules.

To set a static spoofed MAC address:

/etc/systemd/network/01-mac.link

[Match]
PermanentMACAddress=original MAC

[Link]
MACAddress=spoofed MAC

To randomize the MAC address on every boot, set MACAddressPolicy=random instead of MACAddress=spoofed MAC.

Use address attribute to match the correct device by its original MAC address and change it using the ip command:

/etc/udev/rules.d/81-mac-spoof.rules

ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="original MAC", RUN+="/usr/bin/ip link set dev $name address spoofed MAC"

Below you find two examples of systemd units to change a MAC address at boot, one sets a static MAC using ip and one uses macchanger to assign a random MAC address. The systemd network-pre.target is used to ensure the MAC is changed before a network manager like Netctl or NetworkManager, systemd-networkd or dhcpcd service starts.

systemd unit setting a predefined MAC address:

/etc/systemd/system/macspoof@.service

[Unit]
Description=MAC Address Change %I
Wants=network-pre.target
Before=network-pre.target
BindsTo=sys-subsystem-net-devices-%i.device
After=sys-subsystem-net-devices-%i.device

[Service]
Type=oneshot
ExecStart=/usr/bin/ip link set dev %i address 36:aa:88:c8:75:3a
ExecStart=/usr/bin/ip link set dev %i up

[Install]
WantedBy=multi-user.target

systemd unit setting a random address while preserving the original NIC vendor bytes. Ensure that macchanger is installed:

/etc/systemd/system/macspoof@.service

[Unit]
Description=macchanger on %I
Wants=network-pre.target
Before=network-pre.target
BindsTo=sys-subsystem-net-devices-%i.device
After=sys-subsystem-net-devices-%i.device

[Service]
ExecStart=/usr/bin/macchanger -e %I
Type=oneshot

[Install]
WantedBy=multi-user.target

A full random address can be set using the -r option, see #macchanger.

Append the desired network interface to the service name (e.g. eth0) and enable the service (e.g. macspoof@eth0.service).

Reboot, or stop and start the prerequisite and requisite services in the proper order. If you are in control of your network, verify that the spoofed MAC has been picked up by your router by examining the static, or DHCP address tables within the router.

You can use a netctl hook to run a command each time a netctl profile is re-/started for a specific network interface. Replace interface accordingly:

/etc/netctl/interfaces/interface

#!/usr/bin/env sh
/usr/bin/macchanger -r interface

Make the script executable.

Source: akendo.eu (archive)

NetworkManager supports two types MAC Address Randomization: randomization during scanning, and for network connections. Both modes can be configured by modifying /etc/NetworkManager/NetworkManager.conf or by creating a separate configuration file in /etc/NetworkManager/conf.d/ which is recommended since the aforementioned configuration file may be overwritten by NetworkManager.

Randomization during Wi-Fi scanning is enabled by default, but it may be disabled by adding the following lines to /etc/NetworkManager/NetworkManager.conf or a dedicated configuration file under /etc/NetworkManager/conf.d:

/etc/NetworkManager/conf.d/wifi_rand_mac.conf

[device]
wifi.scan-rand-mac-address=no

MAC randomization for network connections can be set to different modes for both wireless and ethernet interfaces.

In terms of MAC randomization the most important modes are stable and random. stable generates a random MAC address when you connect to a new network and associates the two permanently. This means that you will use the same MAC address every time you connect to that network. In contrast, random will generate a new MAC address every time you connect to a network, new or previously known. You can configure the MAC randomization by adding the desired configuration under /etc/NetworkManager/conf.d:

/etc/NetworkManager/conf.d/wifi_rand_mac.conf

[device-mac-randomization]
# "yes" is already the default for scanning
wifi.scan-rand-mac-address=yes
 
[connection-mac-randomization]
# Randomize MAC for every ethernet connection
ethernet.cloned-mac-address=random
# Generate a random MAC for each Wi-Fi and associate the two permanently.
wifi.cloned-mac-address=stable

To configure MAC randomization for a specific connection (for example, if the network does not like random MAC addresses), edit the connection to set 802-11-wireless.cloned-mac-address to one of the modes (e.g. stable or random).

See the following GNOME blog post for more details.

wpa_supplicant can use random MAC address for each ESS connection(AP) (see [2] for details).

Add this to your configuration:

/etc/wpa_supplicant/wpa_supplicant-wlan0.conf

mac_addr=1
preassoc_mac_addr=1
gas_rand_mac_addr=1

To randomize the MAC address when iwd starts (see iwd.config(5) for details):

/etc/iwd/main.conf

[General]
AddressRandomization=once
AddressRandomizationRange=full

Specifying AddressRandomization enables control over when MAC address is randomized. If set to disabled MAC is not spoofed and AddressRandomizationRange is ignored. If set to once MAC is assigned every time iwd is started. If set to network MAC is spoofed once for each network and reused for each connection to a known network.

Specifying AddressRandomizationRange enables control over which part of the address is randomized. If set to nic, only the NIC specific octets (last three octets) are randomized. The permanent mac address of the network interface is used for the initial 3 octets. If set to full, all six octets of the address are randomized.

If you cannot connect to a DHCPv4 network and you are using dhcpcd, you might need to modify the dhcpcd configuration to obtain a lease.

• Wikipedia:MAC spoofing
• Macchanger GitHub page
• Article on DebianAdmin with more macchanger options